
(usagi-users 00382) Re: IPSec for IPv6 on Linux available



Kazunori Miyazawa wrote:
> 
[snip]
> 
> Hello.
> 
> FreeS/WAN's design uses an IPsec virtual interface, which is called BITS.
> 
> But we don't think it is fit for IPv6.

This is correct. I know the KLIPS interface and it currently only
supports IPv4 (hard wired in code). The FreeSWAN group is planning a
redesign (don't ask me when it will happen) and it seems that they tend
to use netfilter hooks and tables for that. The appealing thing there is
that one can use the netfilter infrastructure for packet matching and
packet mangling. The downside is that the SPD and SADB have to be mapped
into the netfilter tables. As the search inside the netfilter tables is
done in sequence the ordering of the rules for IPsec is very important.

> The reasons are
> - IPsec is a standard function of IPv6. And it should be implemented in the IPv6 protocol stack.

This is what we have done in our code. As you might have seen, we don't
use the KLIPS interface for IPv6 but we have integrated IPSec into the
IPv6 networking stack via function pointers.

> - If we adopt virtual interface design, we have to implement IPv6 protocol stack in
>   IP layer and virtual interface.
> 
> So we independently implement as Sekiya said.

What we have taken from FreeSWAN is their PF_KEY socket interface, their
IKE daemon, and their parsing machinery to extract the information from
the PF_KEY messages. We have hooked ourselves into this parsing machinery,
collect the information and then write this information into our own
SADB.

What plans do you have for the integration of IPSec into the IPv6 networking
stack? Perhaps we could use our code as a discussion basis. We really
want to see IPSec for IPv6 in LINUX!

Best regards,

	Gerhard



-- 
---------------------------------------------------
Gerhard Geßler

Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany

Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845

E-Mail: gessler@xxxxxxx
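
The remark above about sequential search and rule ordering, as an added example that is not part of the original message and is not FreeS/WAN, netfilter or USAGI code: a hypothetical first-match table of IPv6 destination prefixes, where placing a broad bypass rule ahead of a specific protect rule sends that traffic in the clear, plus a check that finds such unreachable rules. All names, actions and addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: SPD entries flattened into a table searched in order. */
enum action { DISCARD, BYPASS, PROTECT };
struct rule { const char *prefix; int plen; enum action act; };

/* Nonzero if addr lies inside prefix/plen. */
static int in_prefix(const struct in6_addr *addr, const char *prefix, int plen) {
    struct in6_addr p;
    int full = plen / 8, rem = plen % 8;
    unsigned char mask = (unsigned char)(0xff << (8 - rem));
    if (inet_pton(AF_INET6, prefix, &p) != 1) return 0;
    if (memcmp(addr->s6_addr, p.s6_addr, full) != 0) return 0;
    return rem == 0 || ((addr->s6_addr[full] ^ p.s6_addr[full]) & mask) == 0;
}

/* Sequential search: the first matching rule decides; no match means DISCARD. */
static enum action lookup(const struct rule *t, int n, const char *dst) {
    struct in6_addr a;
    if (inet_pton(AF_INET6, dst, &a) != 1) return DISCARD;
    for (int i = 0; i < n; i++)
        if (in_prefix(&a, t[i].prefix, t[i].plen)) return t[i].act;
    return DISCARD;
}

/* Index of an earlier rule that fully covers rule i (rule i never matches), else -1. */
static int shadowed_by(const struct rule *t, int i) {
    struct in6_addr p;
    if (inet_pton(AF_INET6, t[i].prefix, &p) != 1) return -1;
    for (int j = 0; j < i; j++)
        if (t[j].plen <= t[i].plen && in_prefix(&p, t[j].prefix, t[j].plen))
            return j;
    return -1;
}

/* Constructed tables (2001:db8::/32 is the IPv6 documentation prefix). */
static const struct rule specific_first[] = {
    { "2001:db8:1::", 48, PROTECT }, { "2001:db8::", 32, BYPASS } };
static const struct rule broad_first[] = {
    { "2001:db8::", 32, BYPASS }, { "2001:db8:1::", 48, PROTECT } };

int main(void) {
    /* Same two rules, same destination, different order. */
    printf("specific first: %d, broad first: %d, rule 1 shadowed by rule %d\n",
           lookup(specific_first, 2, "2001:db8:1::10"),
           lookup(broad_first, 2, "2001:db8:1::10"), shadowed_by(broad_first, 1));
    return 0;
}
```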